On OPNsense 25.7.6 (also reproducible on 25.7.5), editing Outbound NAT and clicking Save + Apply causes the Firewall Categories registry to be truncated/removed. Reproducible for me 100%. It also occurs when making changes in the firewall rules.
https://github.com/opnsense/core/issues/9319#issue-3551528582
Since this seems to be a serious issue, please edit it to follow the mandatory template so it gets developer attention. If you check the history you will find that it was automatically lowered in priority because you deleted the form instead of filling it in properly.
Thank you.
Since this is an HA it looks like this is a sync issue between the two boxes and the categories are dropped for the correct reasons, just not the expected ones.
Can you show the actual config history diff of the save + apply?
Keep in mind to state if this happens on the master or the backup. Categories also live in MVC code, not in legacy outbound NAT code (and configuration spot) so this interference seems less likely as a general bug concept.
Cheers,
Franco
I hope I can provide what you need. I'm very new to OPNsense.
Sync is set to only go from master to backup. All changes that would cause an XMLRPC sync are from the master.
I've confirmed that any firewall rule change wipes most, but not all, categories, not just NAT changes. Simply editing a rule comment, saving - but not applying - is enough.
Between two normal configuration saves, a trivial rule-description edit triggered firewall_rules_edit.php to rewrite the entire Firewall section and erase most category entries.
--- config-before.xml 2025-10-30 18:31:50
+++ config-after.xml 2025-10-30 18:33:38
@@ -1300,7 +1300,7 @@
- <descr>AWS Host Access</descr>
+ <descr>AWS Access</descr>
<direction>in</direction>
<category>LAN Outbound,Client Computers</category>
<quick>1</quick>
@@ -1620,8 +1620,8 @@
- <description>Restored sections (OPNsense.Firewall.Category) of config file</description>
- <time>1761867110.30</time>
+ <description>/firewall_rules_edit.php made changes</description>
+ <time>1761867218.71</time>
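Review bot: the removed <description> line in this hunk records the previous revision as "Restored sections (OPNsense.Firewall.Category) of config file", about 108 seconds before the /firewall_rules_edit.php save, so the Category section in config-before.xml had just been put back by a section restore. The report should say which file was restored and how, and include the diff of that restore revision, so the restored entries can be checked for completeness before the rule edit is blamed.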
@@ -5200,7 +5200,7 @@
- <Category version="1.0.0" persisted_at="1761862180.86">
+ <Category version="1.0.0" persisted_at="1761867218.63">
<categories>
<category uuid="xxxxxxx-...">
<name>SYNC</name>
@@ -5210,40 +5210,10 @@
- <category uuid="...">
- <name>Networks</name>
- </category>
- <category uuid="...">
- <name>VPN</name>
- </category>
- <category uuid="...">
- <name>ICMP</name>
- </category>
<category uuid="...">
<name>TCP Ports</name>
</category>
<category uuid="...">
<name>Firewall</name>
</category>
- <category uuid="...">
- <name>Apple Devices</name>
- </category>
- <category uuid="...">
- <name>Garage Door Devices</name>
- </category>
- <category uuid="...">
- <name>TV & Streaming</name>
- </category>
<category uuid="...">
<name>Client Computers</name>
</category>
<category uuid="...">
<name>Peripherals</name>
</category>
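Review bot: the header of this hunk declares 40 old and 10 new lines, but the body shows 30 and 12, and every entry is cut down to a <name> child with the uuid replaced by "...", so the hunk has been abridged by hand. Attach the unedited diff with the complete entry of at least one kept category (for example "TCP Ports") and one removed category (for example "Networks"), so any difference between entries that survive the save and entries that do not is visible.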
The only intentional change was a rule description (AWS Host Access → AWS Access). The GUI save was performed via /firewall_rules_edit.php. Immediately after saving, the <OPNsense><Firewall><Category> node was rewritten. Dozens of category entries vanished—only 5–6 remained.
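To quantify the loss described in the report above, the following added example (not part of the original thread and not OPNsense code) compares two config revisions and lists the categories that disappeared and the rules that still reference them. The sample XML is constructed; the `<rule>` element location and the `audit` helper are assumptions made for illustration, while the `<OPNsense><Firewall><Category>` path is taken from the diff.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-ins for config-before.xml / config-after.xml.
# Assumption: rules are <rule> elements carrying a comma-separated <category>.
BEFORE = """<opnsense>
 <filter>
  <rule><descr>AWS Host Access</descr><category>LAN Outbound,Client Computers</category></rule>
  <rule><descr>Allow ping</descr><category>ICMP</category></rule>
 </filter>
 <OPNsense><Firewall><Category version="1.0.0"><categories>
  <category uuid="u1"><name>LAN Outbound</name></category>
  <category uuid="u2"><name>Client Computers</name></category>
  <category uuid="u3"><name>ICMP</name></category>
  <category uuid="u4"><name>TV &amp; Streaming</name></category>
 </categories></Category></Firewall></OPNsense>
</opnsense>"""

AFTER = """<opnsense>
 <filter>
  <rule><descr>AWS Access</descr><category>LAN Outbound,Client Computers</category></rule>
  <rule><descr>Allow ping</descr><category>ICMP</category></rule>
 </filter>
 <OPNsense><Firewall><Category version="1.0.0"><categories>
  <category uuid="u2"><name>Client Computers</name></category>
 </categories></Category></Firewall></OPNsense>
</opnsense>"""

CATEGORY_PATH = ".//OPNsense/Firewall/Category/categories/category"

def category_names(root):
    """Names defined in the Firewall Category model node."""
    return {(c.findtext("name") or "").strip() for c in root.iterfind(CATEGORY_PATH)}

def rule_refs(root):
    """Yield (rule description, referenced category names) for each rule."""
    for rule in root.iter("rule"):
        raw = rule.findtext("category") or ""
        names = [n.strip() for n in raw.split(",") if n.strip()]
        if names:
            yield rule.findtext("descr") or "(no description)", names

def audit(before_xml, after_xml):
    """Report categories lost between two revisions and rules left dangling."""
    before, after = ET.fromstring(before_xml), ET.fromstring(after_xml)
    kept = category_names(after)
    dropped = sorted(category_names(before) - kept)
    dangling = {}
    for descr, names in rule_refs(after):
        missing = sorted(set(names) - kept)
        if missing:
            dangling[descr] = missing
    return {"dropped": dropped, "dangling": dangling}
```

For real revisions, pass the text of the two config files to `audit` instead of the constructed strings.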
Are these categories shown as is? They do not look like a category created through the GUI.
Here's an example:
% pluginctl -g OPNsense.Firewall.Category
{
    "@attributes": {
        "version": "1.0.0"
    },
    "categories": {
        "category": {
            "@attributes": {
                "uuid": "ebdbc9a8-7a43-47e3-b35f-098a77950d5f"
            },
            "name": "Foobar",
            "auto": "0",
            "color": "ff0000"
        }
    }
}
There's both auto and color here.
Cheers,
Franco